Home / Browse / Webware for Python / Mail / Archive

Webware for Python

Email Archive: webware-discuss (read-only)

RE: [Webware-discuss] Admin password rejected

From: Geoffrey Talvola <GTalvola@Pa...> - 2006-01-13 17:32

Christoph Zwerschke wrote:
> Geoffrey Talvola wrote:
>> I think the original reason for loginid was: suppose someone logs
>> in, then leaves their browser open for a while.  Their session
>> expires.  Now suppose someone else comes up to the browser, uses the
>> Back button to go back to the login screen, and then presses Forward
>> to re-post the username and password. The loginid is supposed to
>> prevent this from working. 

A common scenario where things can get posted more than once is if the user
uses the Back button to go back to a page that was a result of a post, and
then presses the Refresh button.  The browser will put up a popup offering
to re-post the variables.  If you don't want that to happen, you can have
the servlet that handles the post do a redirect.  This seems to prevent the
browser from ever re-posting the form -- instead, pressing the Refresh
button will re-get the page that was redirected to.

> Ok. There are other scenarios as well where you want things to happen
> only one time (for instance, database transactions). I wonder whether
> Webware could provide some methods to do this transparently so you
> don't have to invent and code this kind of things again and again.

Seems like a good idea.

- Geoff

Thread View

Thread	Author	Date
RE: [Webware-discuss] Admin password rejected	Geoffrey Talvola <GTalvola@Pa...>

Re: [Webware-discuss] Admin password rejected

From: Christoph Zwerschke <cito@on...> - 2006-01-13 17:00

Geoffrey Talvola wrote:
> I think the original reason for loginid was: suppose someone logs in, then
> leaves their browser open for a while.  Their session expires.  Now suppose
> someone else comes up to the browser, uses the Back button to go back to the
> login screen, and then presses Forward to re-post the username and password.
> The loginid is supposed to prevent this from working.

Ok. There are other scenarios as well where you want things to happen 
only one time (for instance, database transactions). I wonder whether 
Webware could provide some methods to do this transparently so you don't 
have to invent and code this kind of things again and again.

> As long as your newly modified code deletes the loginid as soon as it is
> used for a login, then it's fine.

Yes. The code still immediately clears the whole session after reading 
the login id. You can use it only one time.

-- Christoph

RE: [Webware-discuss] Admin password rejected

From: Geoffrey Talvola <GTalvola@Pa...> - 2006-01-13 17:32

Christoph Zwerschke wrote:
> Geoffrey Talvola wrote:
>> I think the original reason for loginid was: suppose someone logs
>> in, then leaves their browser open for a while.  Their session
>> expires.  Now suppose someone else comes up to the browser, uses the
>> Back button to go back to the login screen, and then presses Forward
>> to re-post the username and password. The loginid is supposed to
>> prevent this from working. 

A common scenario where things can get posted more than once is if the user
uses the Back button to go back to a page that was a result of a post, and
then presses the Refresh button.  The browser will put up a popup offering
to re-post the variables.  If you don't want that to happen, you can have
the servlet that handles the post do a redirect.  This seems to prevent the
browser from ever re-posting the form -- instead, pressing the Refresh
button will re-get the page that was redirected to.

> Ok. There are other scenarios as well where you want things to happen
> only one time (for instance, database transactions). I wonder whether
> Webware could provide some methods to do this transparently so you
> don't have to invent and code this kind of things again and again.

Seems like a good idea.

- Geoff